Review of NASA's Computer Security Incident Detection and Handling Capability (IG-12-017, August 7, 2012)

The NASA Office of Inspector General (OIG) conducted an audit to evaluate the effectiveness with which NASA's Security Operations Center (SOC) manages the Agency's computer security incident detection and handling program to prevent unauthorized cyber intrusions into Agency networks.

NASA consolidated its previously Center-based computer security incident detection and response programs into the SOC in November 2008 in an effort to improve its capability to detect and respond to evolving threats posed by increasingly sophisticated cyber attacks. The SOC is intended to provide a single, Agency-wide computer security incident handling capability. Located at Ames Research Center, the SOC provides centralized, continuous monitoring of computer network traffic entering and leaving NASA Centers and includes an information system (the Incident Management System) for Agency-wide coordination, tracking, and reporting of information technology (IT) security incidents.

In general, we found that the SOC has improved NASA's computer security incident handling capability by providing continuous incident detection coverage for all NASA Centers. In addition, the SOC's communication processes, including weekly conference calls and security bulletins, were effective for sharing security incident and threat information with responders across the Agency. NASA has also implemented an effective information system that enables Agency-wide management and reporting of IT security incidents.

However, we also found that the SOC does not currently monitor all of NASA's computer networks. Even though the networks we reviewed had their own incident management programs that included network monitoring, dedicated staff to respond to incidents, and documented processes, those programs do not provide the centralized, continuous monitoring coverage afforded by the SOC. In addition, NASA needs to increase its readiness to combat sophisticated but increasingly common forms of cyber attack known as Advanced Persistent Threats (APTs). APTs are typically designed to bypass the target's firewalls, intrusion detection system, and other perimeter defenses and are launched by well-organized and well-funded individuals or entities. Moreover, even after the target organization addresses the vulnerability that permitted the attack to succeed, the attacker may covertly maintain a foothold inside the target's system for future exploits. The increasing frequency of APTs heightens the risk that key Agency networks may be breached and sensitive data stolen.

To enhance NASA's capability to detect and prevent sophisticated cyber attacks and improve overall SOC availability, the OIG report made three recommendations to the Chief Information Officer. She concurred with our recommendations and proposed corrective actions that we consider responsive.

THE FULL VERSION OF THIS REPORT INCLUDES MATERIAL NASA CONSIDERS SENSITIVE BUT UNCLASSIFIED INFORMATION WHICH, IF DISTRIBUTED WIDELY, COULD POSE A SECURITY THREAT TO NASA COMPUTER SYSTEMS